Out of Control

Noah Shachtman at Wiredand Marc Ambinder at The Atlanticare both reporting a doozy of a story regarding an event at F.E. Warren AFB this weekend, when a power failure resulted in 50 nuclear ICBMs going into “launch facility down” (LF down) status for approximately 45 minutes.

On Saturday morning, according to people briefed on what happened, a squadron of ICBMs suddenly dropped down into what’s known as “LF Down” status, meaning that the missileers in their bunkers no longer could communicate with the missiles themselves. LF Down status also means that various security protocols built into the missile delivery system, like intrusion alarms and warhead separation alarms, were offline.

In LF Down status, the missiles are still technically launch-able, but they could only be controlled by an airborne command and control platform like the Boeing E-6 NAOC “Kneecap” aircraft, or perhaps the TACAMO fleet, which is primarily used to communicate with nuclear submarines. “At no time did the president’s ability decrease,” an administration official said. Still, the Chairman of the Joint Chiefs of Staff, Adm. Michael Mullen, was immediately notified, and he, in turned, briefed Secretary of Defense Robert Gates.

He also quotes an anonymous military officer who states that “we’ve never lost complete command and control and functionality of 50 ICBMs.” The official Warren AFB response was one of reassurance, that there was no threat to the public, and that “redundant, safety, security and command and control features” were all in place. The cause of the power failure is unknown at this point, but no “malicious” activity is thought to have caused it.

Ambinder also quotes an administration official, who dismisses the situation somewhat, and says that “to make too much out of this would be to sensationalize it. It’s not that big of a deal. Everything worked as planned.”

Talk about sticking your foot in your mouth. Although this event wasn’t quite comparable to the infamous “nukes on a plane” SNAFU in 2007, an LF down event shouldn’t be dismissed as “not that big of a deal”, especially when viewed as part of the bigger picture of nuke-related screw-ups over the past few years.

Before I invite any commentary from missileers and others in the know, I’d like to mention one thing: this event comes at a critical time in terms of New START politics. There’s plenty of speculation regarding the Senate calculus after the midterm elections, and regardless of the fact that what happens with the ICBMs isn’t necessarily dependent upon the New START treaty, there will be a number of Senators who will try to gain as many concessions from the Obama administration as possible regarding “the M word“, as Jeffrey puts it (stockpile maintenance and upgrades). This weekend’s event at Warren AFB will undoubtedly be used to justify delaying a vote on the New START resolution, and will definitely result in some fireworks on the Senate floor.

I’m sure we’ll learn more about what happened at Warren AFB in the coming days and weeks, but share your thoughts and speculation. The floor is yours.

37 Responses to “Out of Control”

Andrew Tubbiolo | October 26, 2010

I liked this quote “At no time did the president’s ability decrease,” an administration official said. So, when the arms controllers of the world bring the number of deliverable nuclear arms to zero, will you guys please start attacking the king like aura people have been bestowing on the US Prez for the past 60 years? I mean really, my first reaction was … You have to be freaking kidding me they lost contact after only losing lines power? “At no time did the president’s ability decrease,” if that does not communicate the sad state of American politics I don’t know what else can communicate it. Seriously guys, if those are the first words out of the admin, the cause of arms control is sunk.

Captain Ned | October 26, 2010

Assuming the Atlantic article to be correct, the LCCs essentially DDOS’ed each other due to a bad piece of hardware.

Thinker | October 26, 2010

The timing is highly suspicious. This happens a couple of days before Iran begins loading fuel rods into it’s reactor and little over a week before the mid-term elections?

And the fact that the missiles could only be controlled from a remote location and not the President’s nuclear football during the power outage? Sounds a little too much like “Plan R” from Dr. Strangelove.

page | October 26, 2010

I don’t think there are any grand conspiracies here. It’s an infrastructure (wiring) issue, probably.

Smith | October 27, 2010

While I see your reasoning about how this could be construed as a foot-in-mouth statement, the official makes a valid point about it not being a big deal if the missiles controlled by the affected LCCs can be launched via ALCS. With my uninformed technical hat on, this event strikes me as a non-starter, seeing as how the system as a whole appears to have been designed to operate under the assumption that these kinds of issues might arise.

I do agree with you, though: bad timing for this particular hot potato.

It seems to me that the obvious solution is to take that money that was being lavished on NNSA, the labs and key facilities like UPF and CMRR and direct it toward fundamental infrastructure like power lines, back up generators, fuses, etc. That is what supports “safety and reliability” apparently; not whiz-bang new components, 3-D cross sections and the like. Then you satisfy Kyl and company and actually invest in what seems to be needed. I’d type more but my battery seems to b… BANG.

FSB | October 27, 2010

What we need are reliable replacement power lines.

Alan Tomlinson | October 27, 2010

While appreciating the Cold War history of MAD, honestly, if Obama lost the ability to launch 50 thermonuclear weapons for 45 minutes, or 45 days, I must say I don’t care. Fission and fusion weapons systems are designed to do one of two things:
a. end the world as we know it
or
b. rust
Either way, I see them as totally pointless and absurdly expensive. I’m sure that many of you will see me as naive, ignorant, stupid, mentally-defective, etc. I assure you, to the best of my limited abilities in this medium, I am not. I am simply convinced that these weapons are no longer useful.

Cheers,

Alan Tomlinson

mifi | October 27, 2010

I believe DoD is in control at this point, not NNSA.

Peter Brown | October 27, 2010

Why not blame Stuxnet?

Ada | October 27, 2010

I understand that this point is less obvious at first glance, but this incident is evidence for the argument that systems go wrong, which is pretty key to the nonproliferation case. What is more likely: that an incident like this would cause another state to launch an attack in the 50 minutes they were down or that it would cause the US government to panic and give off signals that would alarm other states? I would argue the latter. Similarly, if the choice is between a smaller and less active arsenal that will have short downs (presumably unknown to the rest of the world until they are over?) or huge arsenals that are held back by a wire and are more likely to accidentally launch or appear to do so, the latter seems much more dangerous.

John Schilling | October 27, 2010

I’m not sure your choice is necessary. The larger and more diverse an arsenal is, the less it is degraded by the temporary loss of e.g. a particular squadron of missiles. A large nuclear arsenal allows a robust series of inhibits against unintentional launch, conservative retaliatory doctrines (i.e. no launch on warning), and still remains an effective deterrent. If the United States had issued a press release during the incident announcing that fifty of our missiles were absolutely unavailable for the next half-hour, nobody in Moscow or Beijing would be rushing to the premier’s office saying “now is the chance to strike!”

But if the United States only had those fifty missiles…

We want our nuclear arsenal to be fail-safe, and in the engineering sense rather than the Hollywood sense. For something to be fail-safe, there has to be a failure mode that is, well, safe. In this case, that means if the wiring is cut, the computers get out of synch, whatever, the missiles can’t be launched via that channel, or maybe at all. Failures absolutely will happen from time to time, they absolutely must not result in nuclear missiles being launched, and we just saw evidence that the system works the way it is supposed to.

Demanding that the system must absolutely not launch any missiles without authorized command and absolutely must launch every missile when an authorized command is recieved, is quute unrealistic. Thus, it is desirable to have an excess of weapons allowing one to back off on the “must launch absolutely every missile on command” part.

I am quite skeptical of the claimed vulnerability of US missile squadrons to terrorist subversion; this sounds rather more like movie-plot terrorism than anything of real concern. I could be wrong, but it’s not a matter we should try to resolve in an open forum.

However, if there is a vulnerability, it is a vulnerability that has been present since the first Minuteman squadron was deployed, and isn’t particularly relevant to the discussion of how many additional squadrons are wanted or needed. Terrorists only need the one, and they mostly know how to read maps and drive cars so if there is only the one squadron that’s where they will be.

Bruce Blair | October 27, 2010

From my reading of the Atlantic version of this incident, it appears clear to me that the old LCC computers that operate on a time slot basis (the five computers in a squadron rotate access to the 50 missiles in their orbit every 1.5 seconds) went out of synchronization and had to be re-synched. This happens fairly rarely but is nonetheless an anticipated problem that is rectified with a standard checklist procedure. I trained in this procedure in the 1970s. It involves everyone turning off their computers, then the squadron command post LCC re-starting, and once successfully synched the rest of the LCCs re-start their computers. It’s takes about, well, 45 minutes. It’s kind of hair-raising and delicate but always works. I doubt a power failure had anything to do with this but perhaps some power flux at an LCC de-synched its 50s’-era-technology computer.

So for this short period the 50 ICBMs were not launchable by the LCCs and the airborne back-up system was not in position to launch them. If an order to fire had been received during this period, the war plan would have been executed without them in the initial salvo.

I stay in fairly close touch with the crews pulling alerts in the LCCs. Most have lost their sense of mission and morale is low. The cold war ended 20 years ago, and yet their training scenarios still revolve mainly around U.S.-Russian nuclear exchanges, which still invariably escalate to all-out nuclear war with the largest U.S. option executed to finish off the game. (This option is the real inside reference to “the crowd pleaser”). On 9-11, when they were locked down in their LCCs for several days, it dawned on the crews that their massive firepower could neither deter the main threat to the U.S. nor offer a useful tool in responding to the attacks. This decline of morale and concomitant decrease in discipline are major problems that further counsel against keeping nuclear weapons on launch-ready alert, but this had nothing to do with the incident in question here.
One last point: some accounts of this incident point the blame at faulty underground cabling. For reasons I won’t go into here, there is a distinct danger of unauthorized terrorist-induced launch associated with the thousands of miles of cables that inter-connect launch-ready Minuteman missiles inside their 9 separate squadrons.

FSB | October 27, 2010

So you are telling us that they use the same procedures and the possibly the same computers as you trained on in the 1970s.

Now I am worried.

How about Reliable Replacement Computers? An upgrade to the Atari or Commodore maybe?

“For reasons I won’t go into here, there is a distinct danger of unauthorized terrorist-induced launch associated with the thousands of miles of cables that inter-connect launch-ready Minuteman missiles inside their 9 separate squadrons.”

So our own ICBMs are a terrorist threat — maybe the Ruskis could fund a CTR programme to get rid of our dangerous nukes that are ready to fall into terrorist hands?

page | October 27, 2010

Dr. Blair,

Thank you so much for your comment. It’s particularly enlightening, especially this part:

So for this short period the 50 ICBMs were not launchable by the LCCs and the airborne back-up system was not in position to launch them. If an order to fire had been received during this period, the war plan would have been executed without them in the initial salvo.

Is this as sobering a security issue as it appears to be? Only one other person I know has mentioned this (see John Noonan’s comments on Twitter, part of a discussion we’re having this morning).

Smith | October 27, 2010

Is ALCS launch capability intact during this particular scenario if the airborne platform is aloft? Your wording seems to indicate that it could initiate a launch if it was in the air (and I’m guessing it probably wasn’t).

To FSB, regarding dated technology: this isn’t necessarily a cause for concern, provided the components receive regular attention and have been proven reliable. Plenty of technology runs reliably on decades-old technology; I had an ISS engineer tell me that they were running Intel 80386 processors until a recent upgrade to the Pentium. It’d be difficult to sell me on upgrading software and hardware for a specific system if there was no perceivable gain and a number of what-ifs regarding reliability and the potential introduction of new problems.

FSB | October 27, 2010

This is speculation and Dr. Blair could enlighten us, but I assume a somewhat more modern soft and hardware could accomplish the re-synching itself without waiting 45 min for a human led procedure.

That said, I agree we don’t need the latest Windows s/w — that may be more cause for concern.

Tom D | October 27, 2010

Would somebody say 50 out of “how many” so we know whether it is a big deal or not. My life was on a missile sub and we had plenty of capability to a make grand mark on the world if we had too even if 50 or more land based missiles went down, (or were destroyed).

George William Herbert | October 27, 2010

The US has 450 ICBMs deployed, I believe, all Minuteman-IIIs.

bradley laing | October 27, 2010

Please note: the U.S. has 450 ICBMs, with 500 warheads. Some ICBMs have more than one war head, most have only one warhead.

I assume the ones with more than one warhead are scattered throughout the system so that having 50 ICBMs knocked out does not knock out a dispraportionate amount of the deterrant.

–(Could I be wrong?)

FSB | October 27, 2010

You are right — except that 50 or so warheads makes no difference in deterrence at all.

Even 311 nukes total is more than enough to deter any potential enemies:

The suspiciously precise claim that 311 weapons would suffice (and the claim is “enough”, not “more than enough”) for effective deterrence is made, at least in the cited source, without supporting evidence or analysis. It is towards the low end of what I would estimate as sufficient, and I wouldn’t rule it out.

But if we are going to seek an absolute minimum deterrent, it is important that the calculations as to what a minimum deterrent is should include an explicit and realistic assessment of the number of weapons that just plain won’t work when called upon. Because if it does not, “311 weapons is sufficient” plus “we have 311 weapons”, adds up to “we must not implement any safety mechanism that might plausibly fail in the no-fire condition”

And that rules out a whole lot of safety mechanisms that I for one want applied to the arsenal. For the arsenal to be both adequately safe and adequately effective, I would want it to remain quantitatively effective even if an entire class of weapons is rendered temporarily inoperable by a systems failure.

Possibly 311 weapons would suffice for this, but I want to see the math. 450 might be a better number. Certainly 2000+ is more than enough, and the fact that fifty missiles of the present US arsenal were out of service for forty-five minutes one day is about as relevant to national security as the fact that Marine Lance Corporal Smith had a bad cold that day.

FSB | October 28, 2010

Well, it is tied rather intimately to the size of the Russian force and cannot be neatly divorced from that.

There is no US nuke arsenal size that can be arrived at by pure thought and quantitative reasoning alone.

If we can negotiate with the Russians and Chinese to bring down the numbers even 30 or 10 just on subs will suffice.

See Jeffrey’s essay on minimum deterrence for more details.

Mark Gubrud | October 30, 2010

John, as you may have noted from reading the paper by Prof. Forsyth, Col. Saltzman, and Prof. Schaub, all associates of the USAF, their “suspiciously precise” proposal of 311 warheads was based on a particular mix: 100 single-warhead ICBMs, 8 Ohio-class submarines at sea at any one time, each carrying 24 single-warhead missiles, and 19 B-52s each carrying 1 ALCM. So, only the number 19 seems a little arbitrary, but if it wasn’t chosen because of some existing number, it was probably chosen not to be too small. The group’s target was something in the neighborhood of 300 warheads.

As for the argument as to why this is sufficient, that is a matter of common sense vs. insanity. Would you start a war with someone who could hit you with 300 (or 311) nuclear warheads? Would anyone? It is crazy to think so.

3×10^2 warheads also happens to be the next half-decade down from where the US and Russia are today wrt strategic nukes, as well as about where the second-tier nuclear powers are. So it is a good interim target for the next stage of nuclear reductions before we try to engage the entire world in going lower, to 100, 30, 10, zero.

I think you are a smart enough engineer to know that there is no plausible basis for claiming that a more precise number is the correct one, as implied by your questioning the three-digit precision of “311.”

As for the number that won’t work, the US military used to claim that reliability would be very high, above 90%. Maybe maintenance standards have slipped a bit, I don’t know. If we cut down to 300, we ought to be able to do a better job of ensuring reliability. And anyway, is someone going to bet that nearly all of our weapons will fail?

John Schilling | November 1, 2010

I believe that the United States of America posessed greater than 311 deliverable nuclear weapons on 19 October 1950 (or 1 November if you prefer), so it is demonstrably not crazy to think that anyone might “start a war” with someone who could hit them with 300 nuclear warheads. It’s been done at least once. It is important to reflect on how and why.

Part of the problem with your analysis is that it is rarely as simple as deciding to “start a war”. Often the decision is made in the mistaken belief that it will not result in a war being started. Or based on the false premise that a war has already been started. There is also often confusion as to exactly who is going to be participating in the proposed war, and over what stakes.
Also, the guy making the decision has quite possibly been fighting a slightly different war for quite some time and maybe hasn’t slept in a week. This makes deterrence a rather trickier proposition than convincing a wonk in his peactetime office that nuclear wars are a bad idea.

The other part of the problem, the part more relevant to this discussion, is the part where you jump from a proposed arsenal of 311 warheads to “could hit you with 311 (or even 300) warheads”. If someone posesses 311 nuclear warheads, they cannot hit anyone with even 300 nuclear warheads. They can hit them with 311 warheads, less however many delivery systems malfunction or are isolated from communications, less however many are destroyed on the ground by enemy action, less however many are shot down by enemy defenses, less however many need to be kept in reserve against future threats. Anyone claiming even 90% of theoretical performance, for untested weapons systems in a shooting war, is smoking the strong stuff.

The closer we come to a minimal-deterrence regime, the more significant the difference between total warheads and credibly deliverable warheads becomes, a point which many simplistic analyses seem to neglect. Possibly Forsyth et al did give the issue due consideration, but I’d like to see that retained in subsequent discussion.

Is 311 nukes enough even if 50 or so are down for the count before the enemy even starts playing his games?
Might be, but let’s get the question right.

Mark Gubrud | November 2, 2010

John,

Before the proverbial ink was dry on my post I realized that the correct way to express the thought I had in mind was not that it was crazy to think that a war could start despite the existence of a 300 nuke deterrent, but rather, that it is crazy to think than the US is likely to face an opponent who would be deterred by 1500 strategic warheads but would not be deterred by 300, particularly if most of the latter are survivably-based.

I believe 90% reliability is about the record for unmanned space launches; perhaps you can correct me on that. I also believe the US military has historically claimed that reliability for US nuclear weapons (including delivery vehicles such as ICBMs) would be that good; perhaps somebody else can correct me on that.

So, derate that as you will; suppose the real number is 50%. First of all, how does an opponent know that, and second, which opponent is going to be deterred by 300 (or 1500) and not by 150?

All this is not to suggest that we can rely on any arbitrarily low number of nukes to keep the peace. Obviously the building of stable international norms and institutions and resolving pressing issues of human security are also essential. Also, we should remember that a short war of global conquest is unlikely for the time being, and nuclear disarmament will continue to be reversible on a time scale of months, therefore deterrence will continue to be a factor even after we achieve global zero.

Carey Sublette | November 2, 2010

Regarding weapon reliability:

The Trident D5 has had 120 consecutive successful launches since the conclusion of the test program in 1989. This puts its reliability at better than 99.2%. For the Minuteman III, hundreds of test launches have occurred since its deployment in the 1970s and with a bit of Googling have not been able to uncover any test failures since its deployment.

Warhead reliability is harder to estimate given the absence of a significant number of tests, but surveillance and maintenance standards are quite strict. Most “reliability findings” from stockpile surveillance are projected modest reductions in yield, not cases of non-performance. Is anyone aware of stockpile monitoring discovering significant numbers of non-operative weapons?

If we dealing only with long range ballistic missiles, then the number shot down should be quite small – given the general absence of effective ABM systems. In a world with drastically reduced arsenals, ABM system limits will necessarily also exist.

So the “failure rate” of missile warheads seem likely to be in the low single digits.

Bruce Blair | October 28, 2010

Regarding the back-up launch system — the Airborne Launch Control System comprised of Tacama E-6 fleet based in the midwest. There is a 33% chance that one of these planes was airborne at the time, but if so it would have likely not been in position near FE Warren to enable it to fire the missiles. (Normally, it uses a UHF radio fire control system that requires it to be within line of sight range of a missile silo antenna that would then re-transmit the launch command by underground cable to the rest of the 149 missiles there; that means it would have to be within about 150 miles from the nearest missile if its altitude is 35K feet. In any case, in peacetime (DEFCON 4) the airborne launch signals are blocked out by the missile silos. The silos will only accept the launch signals if the LCCs in their squadron refrain from sending a special command that blocks the airborne system and a timer runs out, or if the LCCs send an unblocking command. These things happen intentionally at DEFCON 3 or higher (elevated alert) or if the LCCs are cut off from the silos (as though LCCs were destroyed in an attack or, in this incident, cut off by a LCC computer problem. In this case, the airborne system even if in perfect position to launch the missiles would have been unable to do so until the default time-out expired (longer than 45 minutes).

Smith | October 28, 2010

Thanks for that – very enlightening.

Bruce Blair | October 28, 2010

correction: the airborne system launch command is re-transmitted by the receiving silo to the other 49 missiles in the squadron, not 149. So the launch planes need to inject a launch command into at least one silo in each of the 3 squadrons (50 msls each) at FE Warren.

Saurabh | October 28, 2010

can we look at this thing from Cyber war point of view?? i mean to say is it possible to control or Damage these systems by hackers / terrorists?

sorry, this may be a silly question but ….. still i want to ask this!

FSB | October 28, 2010

There is an air-gap so no internet issues, and given the Dr. Blair implies we are using 1970s technology no USB-stick issues either most likely. Pretty hacker tolerant.

That said, Dr. Blair’s comment on the terrorist threat via the cabling itself should be considered seriously, John’s comments notwithstanding.

WASHINGTON — The Air Force’s No. 2 officer yesterday said that the military has launched a months-long investigation into the engineering failure that took 50 intercontinental ballistic missiles temporarily off-line at F.E. Warren Air Force Base in Wyoming on Saturday (see GSN, Oct. 28).

[...]

During the review, Chandler said that officials will seek to confirm what happened. The four-star general said the initial readout is that it was a hardware malfunction, but he did not rule out evaluating any possible external causes.